0

In an MVC application I have a number of rtf files which are used as templates. The app loads them, fills the blanks and outputs the result as FileContentResult. Users of the site are not supposed to have direct access to those rtf files. Where would be good place in the project to place them so access to them would be as descried?

I understand that I could put the files outside of the project folder and provide absolute path to them, but it sounds like a bad idea for a number of reasons. First, those files are integral part of the project and moving them outside of the project would mess are subversion system. Second we run several versions of the app on two different servers, so we don't want to make publishing any more complicated than it is. We don't really need the various versions to share those files, it's fine if each version of the app has a copy of them.

jahu
  • 5,427
  • 3
  • 37
  • 64
  • Would it be possible to put them in a database? – Peter Smith May 29 '14 at 10:31
  • @PeterSmith Possible yes, but we don't want to use that solution. I think I came across a solution to my problem while searching for a solution to another problem. I guess I wasn't phrasing the question right. – jahu May 29 '14 at 10:35

2 Answers2

1

Let's say you have a directory Templates in your root asp.net folder where the templates will be.

If you add the rtf extension to the list of handled file extensions in IIS for the ASP.NET handler and deny access to that folder in the web.config, that would be a solution. If you are using IIS7 you can use Request filtering (http://www.iis.net/learn/manage/configuring-security/use-request-filtering).

<location path="Templates">
    <system.web>
        <authorization>
             <deny users="*"/>
        </authorization>
    </system.web>
 </location>
nickvane
  • 2,979
  • 2
  • 20
  • 23
  • This is very close to the solution I came across. I'll post mine once I make sure that it works 100% the way I want it to. – jahu May 29 '14 at 10:50
0

After searching for a solution to another problem, I realized, that in fact I'm asking a wrong question here. I assumed that MVC already has a solution for my problem (and it partially does in form of App_Data folder). However the question that I should have been asking myself before should have been "How do I restrict access to a folder in my project, so users can't get its files directly?".

The answer to this question is similar to what nickvane has written (or rather his answer is an alternative solution to the problem). Based on what I found here, I can block access to a folder by placing a Web.config file in it. The contents of the Web.config file should be as follows:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <deny users ="*" />
    </authorization>
  </system.web>
</configuration>

I just tested it and the app can still access the files in the folders, but users cannot (which is what I wanted).

Community
  • 1
  • 1
jahu
  • 5,427
  • 3
  • 37
  • 64